Think Cybersecurity Doesn’t Impact Bricks-and-Mortar? Think Again!

If we’ve learned anything this past year, it’s that cybersecurity risks are getting worse not better—just ask Marriott. And for the real estate sector, the risks are no less daunting. We spoke with three executives of the real estate C-suite to find out the cybersecurity challenges (and associated mitigation techniques) they are dealing with.  

Properly Securing Tenant Data

Real estate entities are facing increased scrutiny based on the data they store on tenants, such as payment information and social security numbers used for credit checks/rental applications, etc. Furthermore, like most industries today, property management companies are increasingly using third party cloud-based applications to conduct business instead of building their own custom software. One of the many benefits of this approach, in addition to saving thousands of dollars on software development costs, is that it allows property management staff (who often spend time onsite at a property or working outside the office) to easily access data from any location or device.  In addition, third-party applications are maintained by others and constantly being updated with new products and features. However, cloud-based applications can be an easier target for data misappropriation.

So, if your real estate entity decides to go the cloud-based route, you—along with your vendors— must consider taking additional data security measures. It is imperative, both when you initially select the software and when you evaluate its annual performance, to determine whether every partner you share your data with protects it in the same manner you would if you were hosting the application.

Ben Zises, COO of TriArch Management, notes the importance of being conscious of cyber risks within his organization: “At TriArch we are extremely cognizant of data security and strive to implement best practices across the board in all areas of our business – security being no different.  Making sure we protect sensitive information given to us from tenants, vendors, employees, and other partners is of utmost importance to us and our clients.”

Any security consultant would likely recommend that a real estate firm reaches out to their software providers and request what is known as a Service Organization and Controls Report (SOC). Most industry leading SaaS providers often hire an independent firm to produce an SOC report that contains security evaluations and results on their business. Customers should request a copy of this report each year and make note of the following key components to look for:

• The auditor is reputable and his/her opinion is unqualified.
• The controls listed in the back of the report are effective and noted with no exceptions.
• You have controls to address the user control considerations listed.

If there are concerns noted in the report, it would be recommended to immediately contact the vendor to verify the concerns have been addressed and remediated.

Determining the Cost and Availability of IT Talent

One consistent theme we’ve heard during our client conversations was the use of outsourced IT providers. Michael Feldman, CEO of Choice NY, notes that he feels “more comfortable outsourcing IT to ensure he gets the most up-to-date expertise. With the advent of cloud technology, it has become easier to outsource the IT management to those who do it best. Firms no longer need to hire dedicated resources, thereby reducing back-end costs. However, companies need to be aware that not every IT firm is equal in security and diligence.”

Andre Kaplan, CFO of Orsid Reality, mentions that they perform an independent audit of their external IT provider each year. “We do this for a number of reasons. First, you want your vendors to know that you care about your company’s security and you are holding them accountable as a service provider. Second, you can identify and remediate vulnerabilities before they are potentially exploited by bad actors. Finally, an annual check-in with your IT provider lets you discuss new security opportunities that you may want to add to your current ones.”

Maintaining Public Reputation

You can’t watch the news, read a newspaper or look at your computer without seeing stories of companies that have had their data compromised. The costs of correcting the situation are not simply the high cost of alerting tenants and offering ID theft protection. The even greater harm can be the long-term damage to the company’s reputation.

Another important consideration for management companies is to obtain cyber insurance. It is an excellent way to reduce the costs associated with a cyber breach. Keep in mind that you must also obtain a cyber-crime policy in order to insure against the most common cyber incidents, such as ransomware (a computer or network  encrypted until a ransom is paid) and phishing (money erroneously wired by a  company representative to a bad actor).

Et Cetera

Beyond the aforementioned, you might also want to look at the vendor’s employee training regimen, how they document proper policy and risk assessments, if they perform vulnerability scans and penetration tests, and what the nature is of their proactive security monitoring. 

Cybersecurity is the proverbial marathon, not a sprint. It requires the dedication of time and resources to stay one step ahead of the ever-evolving bad actors. One thing is certain: This is not for the uninitiated. It does require the expert skills and deep experience of cybersecurity professionals. Inquire with colleagues; ask your trusted business advisors; perform your due diligence. Your company data is one of the most important assets you have. Do you really want to put its protection at the bottom of your to-do list?